vicidial.org

[duncanb]

Hi All,

A client of ours wants to have agents connecting remotely to the "normal" agent page, and they have requested that it go over HTTPS so it is secure. However we have a number of concerns and were hoping to get feedback from both developers and the community as to whether this is a good idea. The client considers VPN too difficult to manage.

Firstly while HTTPS encrypts the traffic, the agent interface will obviously be exposed to the internet. Can the interface itself be considered secure? I've worked quite a bit in the code behind the agent page and would be very concerned to face it to the internet myself. Obviously all passwords would have to be secure too which might be problematic for agents.

There is also all the JavaScript in the agent page that calls vdc_db_query.php over HTTP and that would send information (including agent passwords) over the internet in cleartext. Has anybody has success in changing this to HTTPS? Is there a performance concern?

There are 6 active web servers in this Vicidial cluster and we are currently using balance to do load balancing between them. Has anybody had any success using balance with both HTTP *and* HTTPS? Or should we then look at something more like nginx?

Most importantly: is this a good idea?

Regards,
Duncan

[mflorell]

Yes, everything in VICIdial can work with HTTPS, and since it is a requirement for using WebRTC phones, we have quite a lot of VICIdial clusters(hundreds) that operate that way. The AJAX side of things follows what the main page you are on uses, so that's not an issue, and performance is not an issue.

As for secure passwords, you can enable password encryption within VICIdial if you want, but we currently have no feature that will enforce selection of secure passwords by users within the system, only guidelines.

[duncanb]

Hi Matt,

Thanks for the feedback. We'll give it a shot then.

Regards,
Duncan

[duncanb]

Ummm... actually... just one more thing...

Would you consider it secure to expose the Vicidial agent interface the the internet? Even with HTTPS?

[williamconley]

Ummm... actually... just one more thing...

Would you consider it secure to expose the Vicidial agent interface the the internet? Even with HTTPS?

NO

http://viciwiki.com/index.php/DGG

Creates a special link to allow self-authorization through the firewall. Without the link, all anyone will get is a 404 not found if on the special port and NOTHING if not on the special port.

You can create a link for each remote/portable user or share one link among many.

[mflorell]

There is a feature built into VICIdial called "IP Lists" that allows you to use IP Address whitelists for all web screens on a per-User Group basis.

[duncanb]

Thanks for the feedback Matt and William. Definitely useful stuff.

Have an excellent day!